Raspberry Robin Scenario: Community First Bank Network
Planning Resources
Scenario Details for IMs
Community First Bank: Regional Banking Network During USB-Driven Transaction Processing
Quick Reference
- Organization: Regional bank with 45 branch locations, 1,200 employees processing customer financial transactions
- Key Assets at Risk: Customer financial data across branch network, Banking operations and transaction processing systems, Financial regulatory compliance, Transaction security
- Business Pressure: Month-end transaction processing peak operations—banking system failures affect customer accounts, financial regulatory compliance at risk during critical processing window
- Core Dilemma: Continue USB-based transaction reconciliation maintaining banking operations BUT allows malware propagation through customer account systems, OR Halt USB use for containment BUT disrupts transaction processing and audit procedures affecting customer services
Detailed Context
Organization Profile
Regional bank with 45 branch locations, 1,200 employees
Key Assets At Risk:
- Customer financial data
- Banking operations
- Regulatory compliance
- Financial transaction security
Business Pressure
- Month-end transaction processing - banking system failures affect customer accounts
- Financial regulatory compliance at risk
Cultural Factors
- Bank employees routinely use USB drives for transaction reconciliation, audit procedures, and data transfer between branch locations
- USB malware exploits legitimate banking workflows to spread between customer account systems and financial transaction networks
- Infected systems include customer account databases, transaction processing, and financial audit systems
Opening Presentation
“It’s the last business day of the month at Community First Bank, and all 45 branch locations are processing peak transaction volumes for month-end reconciliation. Branch managers across the network are reporting that USB drives used for daily audit procedures and transaction data transfers are behaving strangely - creating mysterious folder-like files that spread to every system they touch. The USB-based worm is propagating through routine banking workflows, affecting customer account systems and financial transaction networks. Federal banking regulators require immediate notification of any customer data compromise.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Compliance officer reports federal banking regulations require customer data breach notification within 24 hours (a scenario timeline; the real Computer-Security Incident Notification Rule gives a bank 36 hours from determining that a notification incident has occurred to notify its primary federal regulator, and customer notification timing is governed by GLBA guidance and state breach laws rather than a single fixed deadline)
- Hour 2: Regional director confirms USB malware has spread to 35 of 45 branch locations through routine banking workflows
- Hour 3: IT security discovers infected USB drives have accessed customer account databases and transaction processing systems
- Hour 4: Federal banking examiner calls requesting incident status update and potential regulatory enforcement timeline
Evolution Triggers:
- If USB malware continues spreading, all branch locations and central banking systems could be compromised
- If customer data breach is confirmed, federal notification requirements and regulatory enforcement actions activate
- If transaction processing systems are disrupted, month-end reconciliation fails affecting customer accounts across the network
Resolution Pathways:
Technical Success Indicators:
- Team identifies USB worm propagation mechanisms and infection vectors through banking workflows
- Banking network security enhanced through comprehensive USB malware removal and device control policies
- Transaction processing and customer account system integrity restored across all branch locations
Business Success Indicators:
- Month-end transaction processing completed successfully despite USB malware outbreak
- Customer financial data protected throughout incident response with minimal account disruption
- Federal banking regulatory compliance maintained through proper breach assessment and notification
Learning Success Indicators:
- Team understands USB-based malware propagation in banking environments and workflow exploitation
- Participants recognize financial sector cybersecurity challenges and regulatory compliance requirements
- Group demonstrates coordination between banking operations, security, and regulatory compliance
Common IM Facilitation Challenges:
If Banking Regulatory Complexity Is Overwhelming:
“The federal banking regulations are detailed, but the core requirement is simple: if customer account data was accessed by malware, you must notify regulators and affected customers within specific timeframes. Focus on determining what data was compromised.”
If USB Workflow Exploitation Is Underestimated:
“Carlos just confirmed that every branch uses USB drives for daily transaction reconciliation - it’s required by your audit procedures. The malware is spreading through your most routine and trusted banking workflows. How do you stop a worm that travels through your standard operating procedures?”
If Multi-Branch Coordination Is Missed:
“Janet reports that infected USB drives have been used at 35 different branch locations in the past week. Each branch shares USB audit procedures with multiple other branches. How do you coordinate USB malware response across a distributed banking network?”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 3 investigation rounds, 1 decision round
Focus: Core USB worm discovery and immediate banking network containment
Simplified Elements: Streamlined regulatory compliance and multi-branch coordination complexity
Key Actions: Identify USB malware propagation, implement emergency device controls, coordinate branch notification
Lunch & Learn (75-90 minutes)
Structure: 5 investigation rounds, 2 decision rounds
Focus: Comprehensive USB workflow investigation and customer data protection
Added Depth: Federal banking regulation requirements and transaction processing security
Key Actions: Complete forensic analysis of USB worm spread, coordinate regulatory notification, restore banking operations with verification
Full Game (120-140 minutes)
Structure: 7 investigation rounds, 3 decision rounds
Focus: Complete multi-branch USB outbreak response with federal regulatory coordination
Full Complexity: Customer data breach assessment, federal examiner coordination, long-term USB security policy development
Key Actions: Comprehensive USB malware containment across 45 branches, coordinate federal compliance response, implement enhanced banking workflow security
Advanced Challenge (150-170 minutes)
Structure: 8-9 investigation rounds, 4 decision rounds
Expert Elements: Banking regulatory technical depth, multi-branch coordination complexity, customer notification strategy
Additional Challenges: Mid-scenario month-end deadline pressure, federal examiner inspection, customer data forensics complexity
Key Actions: Complete investigation under banking operational constraints, coordinate multi-branch and federal response, implement comprehensive USB security architecture while maintaining transaction processing
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Progressive hints to maintain engagement and learning momentum:
Pre-Defined Response Options
Three balanced response approaches with trade-offs:
Option A: Emergency USB Lockdown & Complete System Rebuild
- Action: Immediately disable all USB ports across all 45 branch locations, implement complete malware removal and system rebuild, halt all USB-based audit procedures until clean devices and new security policies are in place, coordinate extended regulatory notification timeline with federal banking examiners.
- Pros: Ensures absolute certainty of malware elimination and prevents any reinfection, provides thorough investigation of customer data exposure, demonstrates unwavering commitment to banking security, eliminates USB propagation vector completely.
- Cons: Disrupts month-end transaction reconciliation requiring manual workarounds at all branches, delays audit compliance procedures affecting regulatory requirements, requires procurement and distribution of 200+ secured USB devices, extends incident timeline by 2-3 weeks.
- Type Effectiveness: Super effective against Worm malmon type; complete USB lockdown prevents propagation and ensures banking network security with zero reinfection risk.
Option B: Accelerated Parallel Response & Conditional USB Restoration
- Action: Conduct intensive 72-hour malware removal across all affected branches using coordinated response teams, implement enhanced USB device scanning and control policies, coordinate real-time customer data assessment with federal compliance for expedited notification authorization while maintaining essential banking workflows.
- Pros: Balances banking operations with security response requirements, provides compressed but thorough USB malware containment, demonstrates agile multi-branch incident management, maintains critical transaction processing while addressing outbreak.
- Cons: Requires extraordinary coordination across 45 branch locations and sustained 24/7 operations, compressed timeline increases risk of incomplete malware removal at some branches, maintains some operational uncertainty during USB restoration phase, intensive resource stress across regional banking network.
- Type Effectiveness: Moderately effective against Worm malmon type; addresses immediate banking security concerns while restoring operations, but compressed multi-branch timeline may not fully eliminate persistent USB infections or prevent isolated reinfection events.
Option C: Selective Branch Isolation & Phased Security Recovery
- Action: Isolate confirmed infected branches from USB workflow procedures, implement immediate USB scanning and verification protocols for uninfected branches, maintain critical month-end processing using verified clean drives while conducting thorough malware investigation at infected locations, coordinate phased security restoration aligned with banking operational priorities.
- Pros: Maintains month-end transaction processing and banking operations continuity, allows audit compliance with verified clean USB procedures, provides time for comprehensive USB malware investigation and customer data assessment, demonstrates sophisticated risk management across distributed banking network.
- Cons: Operates with partially contained outbreak requiring sustained vigilance at uninfected branches, requires intensive USB verification and manual monitoring increasing operational complexity, extended containment window across 45 locations, depends on effectiveness of branch isolation and USB verification procedures against worm reintroduction.
- Type Effectiveness: Partially effective against Worm malmon type; addresses immediate banking operational requirements through isolation and verification, but extended multi-branch containment creates ongoing reinfection risk if USB procedures aren’t perfectly controlled across distributed network.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Discovery & Multi-Branch Assessment (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Branch Operations Manager Diana Chen calls from the downtown branch. “Our USB drives for daily transaction reconciliation are creating weird files - folders called ‘Bank_Audit_Data’ and ‘Transaction_Files’ that don’t open properly. It started yesterday, but now it’s happening on every USB we use.”
- Clue 2 (Minute 10): USB forensics identify the Raspberry Robin worm. The "folders" that won't open are Windows shortcut (.lnk) files named and iconed like data folders; opening one launches cmd.exe, which reads and runs a script hidden on the same drive and pulls the next stage down with msiexec. Nothing beyond the routine branch audit procedure is needed - insert the drive, open the "folder" - which is exactly how bank employees use USB every single day across all 45 locations.
- Clue 3 (Minute 15): Regional Director Janet Foster reports alarming spread: “We track USB audit drive rotation between branches. Based on the schedules, infected drives have potentially visited 35 of our 45 branches in the past 5 days. This is spreading faster than we can investigate it.”
- Clue 4 (Minute 20): IT Security Manager Carlos Martinez discovers infected USB drives have accessed customer account databases during routine data transfers. “These USB drives are used to copy transaction data between branch systems and central processing. The worm has touched our customer account systems containing personal and financial information.”
Response Options:
- Option A: Immediate Network-Wide USB Shutdown - Disable all USB ports at all 45 branch locations immediately, halt USB-based audit and reconciliation procedures, implement emergency manual processes for month-end transaction processing.
- Pros: Completely stops worm propagation across banking network; prevents further customer data exposure; demonstrates decisive security action.
- Cons: Disrupts month-end processing critical for customer accounts; delays audit compliance affecting regulatory requirements; branch employees lack manual procedures for some operations.
- Type Effectiveness: Super effective - immediately halts USB worm propagation but creates significant banking operational challenges.
- Option B: Enhanced USB Monitoring with Branch Coordination - Implement USB scanning software at all branches, prioritize infected branch remediation, coordinate enhanced logging and monitoring while allowing continued operations with strict USB protocols.
- Pros: Balances security with critical banking operations; maintains month-end processing capability; enables tracking of multi-branch propagation patterns.
- Cons: Worm continues spreading during scanning deployment; coordinating 45 branches increases complexity; doesn’t guarantee protection if scanning misses sophisticated malware.
- Type Effectiveness: Moderately effective - reduces but doesn’t eliminate propagation; requires perfect coordination across distributed banking network.
- Option C: Infected Branch Isolation - Quarantine confirmed infected branches from USB audit workflows, establish strict USB sanitization protocols for uninfected branches, accept continued infection in isolated branches temporarily while maintaining critical operations.
- Pros: Protects uninfected branches from immediate spread; maintains banking operations at majority of locations; targeted approach prioritizes clean network protection.
- Cons: Infected branches operate with degraded capabilities; differential security creates confusion; potential customer data exposure continues at isolated branches.
- Type Effectiveness: Partially effective - protects clean areas but allows propagation within isolated zones.
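Options A and B above turn on Windows device controls: Option A's "disable all USB ports" and Option B's "strict USB protocols" are, on a Windows branch host, a handful of registry-backed settings that Group Policy can push and that a responder can audit remotely. The following is an added example, not part of this scenario pack: it parses registry exports in the text form `reg export` produces and reports each host's USB storage posture. The two exports and the host labels are constructed for the example.

```python
"""Audit a Windows host's removable-storage controls from a registry export.

Added example, not part of the scenario pack. On Windows, "disable USB
storage" and "strict USB protocols" come down to a few registry-backed
settings: the USBSTOR driver's start type, and the Removable Storage Access
policies that Group Policy writes under the RemovableStorageDevices policy key.
The two exports below are constructed for this example in the text form
`reg export` produces; the host labels are placeholders.
"""
import re

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
REMOVABLE_DISKS = POLICY_ROOT + r"\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # "Removable Disks" class
SERVICE_DISABLED = 4  # Start=4: the driver is never loaded, so no USB disk mounts

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')


def parse_reg_export(text: str) -> dict:
    """Parse the .reg subset a policy audit needs: keys, DWORD and string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            value = m.group("dword")
            keys[current][m.group("name")] = int(value, 16) if value is not None else m.group("str")
    return keys


def assess_usb_policy(keys: dict) -> dict:
    """Report which USB storage controls are in force and an overall verdict."""
    usbstor = keys.get(USBSTOR_KEY, {})
    root = keys.get(POLICY_ROOT, {})
    disks = keys.get(REMOVABLE_DISKS, {})
    findings = {
        "usbstor_disabled": usbstor.get("Start") == SERVICE_DISABLED,
        "deny_all_removable": root.get("Deny_All") == 1,
        "deny_execute": disks.get("Deny_Execute") == 1,   # no binaries run from the disk
        "deny_write": disks.get("Deny_Write") == 1,       # an infected host cannot seed the disk
    }
    if findings["usbstor_disabled"] or findings["deny_all_removable"]:
        verdict = "blocked"
    else:
        parts = [label for label, on in (("no-execute", findings["deny_execute"]),
                                         ("read-only", findings["deny_write"])) if on]
        verdict = "+".join(parts) or "open"   # "open" is the Windows default
    findings["verdict"] = verdict
    return findings


def assess_hosts(exports: dict) -> dict:
    """Verdict per host: the view a responder wants across the branch estate."""
    return {host: assess_usb_policy(parse_reg_export(text))["verdict"]
            for host, text in exports.items()}


# Constructed exports: a hardened host and a branch host still at Windows defaults.
EXPORTS = {
    "HQ-RECON-01": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Execute"=dword:00000001
"Deny_Write"=dword:00000001
""",
    "BR17-TELLER-02": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"DisplayName"="@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver"
""",
}

if __name__ == "__main__":
    for host, verdict in assess_hosts(EXPORTS).items():
        print(f"{host}: {verdict}")
```

Two caveats matter for this scenario. Deny_Execute stops binaries stored on the drive from running, but the lure is a shortcut that launches cmd.exe from the system drive, so on its own it does not stop the infection; Deny_Write is what stops an already-infected host from seeding the next audit drive. Only USBSTOR Start=4 or Deny_All closes the vector completely, which is why Option A is "super effective" and also why it breaks the audit workflow. Real `reg export` output is UTF-16LE with a byte-order mark, so decode it with "utf-16" before passing it to parse_reg_export.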
Round 2: Customer Data & Regulatory Compliance (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): If Option A (shutdown) was chosen: Janet reports severe operational impact: “Branches can’t complete month-end reconciliation without USB drives. We’re facing audit compliance failures and customer account discrepancies. Banking regulators won’t accept delayed reporting.”
- Clue 5 (Minute 30): If Option B or C was chosen: Carlos discovers continued worm spread despite controls: “The malware is reinfecting clean USB drives when employees use them on systems we haven’t fully remediated yet. Our scanning isn’t catching all variants.”
- Clue 6 (Minute 40): Compliance Officer Robert Kim completes customer data assessment: “Infected USB drives accessed account databases containing information for approximately 125,000 customers - account numbers, balances, transaction histories, personal information. Federal banking regulations require breach notification within 24 hours to regulators and 30 days to affected customers.”
- Clue 7 (Minute 50): External threat intelligence reveals Raspberry Robin in financial institutions typically leads to follow-on attacks: Ransomware deployment (LockBit targeting bank backup systems) or data exfiltration for fraud. “This USB worm is initial access for financial crime operations. Your customer data may be the target.”
- Clue 8 (Minute 55): Federal banking examiner calls requesting incident briefing. “We received automated alert about potential customer data compromise at Community First Bank. We need full incident report including customer impact assessment, remediation timeline, and notification procedures. When can you provide that?”
Response Options:
- Option A: Comprehensive Banking Security Remediation - Complete USB worm removal across all 45 branches with federal forensics support, implement enterprise USB security controls, conduct thorough customer data breach assessment, coordinate federal regulatory notifications and customer breach letters.
- Pros: Eliminates all USB infections protecting customer data and banking operations; demonstrates full compliance with federal banking regulations; provides definitive customer impact assessment.
- Cons: Extended remediation disrupts normal banking operations (2-3 weeks); customer breach notification creates trust concerns and potential account closures; federal forensics costs $200K+; regulatory scrutiny intensifies.
- Type Effectiveness: Super effective - comprehensive security restoration with complete worm elimination but maximum operational and reputational impact.
- Option B: Customer Protection Prioritized Response - Immediate remediation of customer-facing systems and account databases, establish sanitized USB workflow for critical banking operations, implement real-time monitoring, conduct targeted customer data assessment for confirmed exposure only.
- Pros: Maintains customer account security as absolute priority; attempts month-end processing completion; demonstrates customer-centric risk management.
- Cons: Administrative systems may remain infected; customer impact assessment may be incomplete; federal regulators may question partial response approach.
- Type Effectiveness: Moderately effective - protects customer data systems but may leave gaps in overall banking security.
- Option C: FS-ISAC Collaboration & Industry Coordination - Engage Financial Services Information Sharing and Analysis Center for Raspberry Robin banking intelligence, coordinate with core banking system vendors for remediation guidance, request federal examiner accommodation while demonstrating proactive response.
- Pros: Leverages financial sector expertise on USB worm banking impacts; vendor collaboration improves remediation quality; federal relationship management demonstrates professionalism.
- Cons: External coordination extends response timeline; information sharing reveals security gaps to industry peers; admission of limited internal financial cybersecurity capability.
- Type Effectiveness: Moderately effective - improves response quality through collaboration but may extend timeline beyond regulatory comfort.
Round Transition Narrative
After Round 1 → Round 2:
The team’s initial response determines whether the bank faces immediate operational disruption (shutdown approach) or continued multi-branch worm propagation (monitoring/isolation approach). Either way, the situation escalates dramatically when Compliance Officer Robert Kim reveals that infected USB drives have accessed customer account databases containing personal and financial information for 125,000 customers. Federal banking regulations trigger strict notification timelines - 24 hours to regulators, 30 days to affected customers. This transforms the incident from an internal IT problem to a federal regulatory compliance crisis with potential customer trust and business impact. Additionally, threat intelligence reveals Raspberry Robin in financial institutions typically precedes ransomware attacks or fraud operations targeting customer data. A federal banking examiner calls requesting incident details, adding regulatory oversight pressure to the technical response. The team must now balance customer data protection, federal compliance, banking operational continuity, and multi-branch security coordination simultaneously under regulatory scrutiny.
Debrief Focus:
- Recognition of USB-based propagation in distributed banking networks
- Federal banking regulatory compliance and customer data protection
- Multi-branch coordination challenges in incident response
- Customer trust and financial sector reputation management
- FS-ISAC and banking industry collaboration
Full Game Materials (120-140 min, 3 rounds)
Round 1: Initial Discovery & Banking Network Impact (35-40 min)
Opening Scenario:
It’s the last business day of the month at Community First Bank, and all 45 branch locations are processing peak transaction volumes. Regional Director Janet Foster is reviewing month-end reports when her phone starts ringing with calls from multiple branch managers.
“The USB drives for our daily audit procedures are acting strange,” reports the downtown branch manager. “Files are appearing that look like folders - ‘Audit_Data’, ‘Transaction_Reconciliation’ - but they don’t open. And the systems are slower after we use the drives.”
As Janet starts investigating, similar reports flood in from branches across the region. The USB drives used for routine transaction reconciliation and audit compliance - drives that rotate between branches on a weekly schedule - are spreading infection faster than anyone realized was possible.
IT Security Manager Carlos Martinez convenes an emergency response team: “If this malware is spreading through our audit USB drives, and those drives visit multiple branches every week, we could have network-wide contamination within days. And month-end processing can’t afford any delays.”
Team Action: Each player takes 2 actions to investigate the incident using their role’s capabilities. The IM should track what the team discovers based on their investigation choices.
Investigation Discoveries (based on role and approach):
Detective-focused investigations:
- USB drive forensics reveal the Raspberry Robin worm: malicious Windows shortcut (.lnk) files on the drives, named and iconed to pass as legitimate banking data folders
- Malware runs when an employee opens one of the disguised shortcuts - no action beyond the normal audit procedure of browsing the drive - and an infected host then seeds the same lure onto other drives inserted into it
- Timeline analysis shows initial infection likely introduced 7-10 days ago, spreading through weekly USB rotation cycles
- Memory forensics reveal worm attempts to establish persistence and external network connectivity from banking systems
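The Detective's first concrete task, here and in the Lunch & Learn Clue 2, is to tell the lure shortcuts apart from the legitimate files on an audit drive. The following is an added example, not code from the scenario pack: it reads enough of the Shell Link binary format to recover a shortcut's target, command line and icon, then flags the "shortcut disguised as a folder" pattern. The two sample shortcuts are constructed in code with build_lnk(); their file names and the script name in the command line are placeholders, not real indicators.

```python
"""Triage Windows shortcut (.lnk) files found on a removable drive.

Added example, not part of the scenario pack. It reads enough of the Shell
Link format (MS-SHLLINK: fixed 76-byte header, optional IDList and LinkInfo,
then StringData) to recover a shortcut's relative target, command line and
icon, then applies heuristics for the folder-disguise lure. The samples are
constructed with build_lnk(); names and the script name are placeholders.
"""
import struct

HEADER_SIZE = 0x4C
# LinkFlags bits (ShellLinkHeader offset 20)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in exactly this order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
LOLBINS = ("cmd.exe", "msiexec.exe", "powershell.exe", "rundll32.exe",
           "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe")
FOLDER_ICONS = (3, 4)  # shell32.dll icon indexes Explorer uses for folders


def parse_lnk(data: bytes) -> dict:
    """Return StringData fields plus IconIndex; IDList and LinkInfo are skipped."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"icon_index": struct.unpack_from("<i", data, 56)[0]}
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:        # IDListSize (2 bytes) precedes the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:
        fields[key] = ""
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """List the reasons a shortcut looks like a folder-disguise lure ([] if none)."""
    f = parse_lnk(data)
    cmdline = f"{f['relative_path']} {f['arguments']}".lower()
    base = filename[:-4] if filename.lower().endswith(".lnk") else filename
    reasons = []
    # Explorer hides the .lnk extension, so "Audit_Data" with a folder icon
    # is indistinguishable from a real folder at a glance
    if "." not in base and "shell32.dll" in f["icon_location"].lower() \
            and f["icon_index"] in FOLDER_ICONS:
        reasons.append("named and iconed like a folder")
    hits = [b for b in LOLBINS if b in cmdline]
    if hits:
        reasons.append("launches " + ", ".join(hits))
    if "cmd.exe" in cmdline and "/r" in cmdline.split():
        reasons.append("cmd.exe /R runs a script stored on the drive")
    if "http://" in cmdline or "https://" in cmdline:
        reasons.append("command line contains a URL")
    return reasons


def build_lnk(relative_path="", arguments="", icon_location="", icon_index=0) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) for the samples below.

    LinkCLSID is zeroed here; real files carry 00021401-0000-0000-C000-000000000046.
    """
    flags, body = IS_UNICODE, b""
    for text, bit in ((relative_path, HAS_RELATIVE_PATH), (arguments, HAS_ARGUMENTS),
                      (icon_location, HAS_ICON_LOCATION)):
        if text:
            flags |= bit
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + bytes(16)              # HeaderSize, LinkCLSID
    header += struct.pack("<II", flags, 0) + bytes(24)               # LinkFlags, FileAttributes, 3 FILETIMEs
    header += struct.pack("<IiIHHII", 0, icon_index, 1, 0, 0, 0, 0)  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved
    return header + body


# Constructed samples: one lure shaped like the scenario's "Audit_Data" folder,
# one legitimate shortcut to a spreadsheet on the same drive.
SAMPLES = {
    "Audit_Data.lnk": build_lnk(
        relative_path="..\\Windows\\System32\\cmd.exe",
        arguments="/R type 1cc.tmp|cmd",          # placeholder script name on the drive
        icon_location="%SystemRoot%\\System32\\shell32.dll", icon_index=3),
    "Q3 Reconciliation.xlsx.lnk": build_lnk(
        relative_path=".\\Q3 Reconciliation.xlsx",
        icon_location="%ProgramFiles%\\Microsoft Office\\root\\Office16\\EXCEL.EXE"),
}


def triage_samples(samples=SAMPLES) -> dict:
    """Map each shortcut name to its triage findings."""
    return {name: triage_lnk(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```

On a real drive, walk it for *.lnk files and feed each to triage_lnk together with its name; also list hidden files and folders next to the shortcuts, since the script the lure runs is stored there. Real shortcuts usually carry their absolute target in the LinkInfo structure that this parser skips, so a production tool should read LocalBasePath as well as the relative path.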
Protector-focused investigations:
- Banking network architecture review shows USB drives are essential for audit compliance and branch-to-regional data transfers
- Security assessment reveals traditional network protections don’t detect or prevent USB-based propagation
- Customer account database security analysis shows USB drives have access for backup and reconciliation procedures
- Branch security posture varies significantly - some locations have USB controls, many do not
Tracker-focused investigations:
- USB device rotation tracking shows systematic propagation pattern: drives visit 4-5 branches per week
- Banking workflow analysis reveals 200+ USB insertions daily across 45-branch network for audit and reconciliation
- Network monitoring detects attempted external connections from infected systems (mostly blocked by firewalls)
- Evidence of USB drives moving between customer account systems, transaction processing, and administrative networks
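The Tracker's "drives visit 4-5 branches per week" and Janet's "infected drives have potentially visited 35 of our 45 branches" in the Lunch & Learn Clue 3 both come from the same data: the rotation schedule. The following is an added example, not part of this scenario pack, that turns such a log into an exposure list. Starting from one drive known to be infected on a given date, it treats every later insertion of an exposed drive as exposing the branch, and every later insertion of any drive at an exposed branch as exposing that drive, and runs that to a fixed point. The rotation log, drive and branch identifiers, and the index case are constructed.

```python
"""Trace potential exposure through a shared-USB rotation schedule.

Added example, not part of the scenario pack. Given a log of which audit
drive was inserted at which branch on which day, and one drive known to be
infected from a given date, it computes the branches and drives that could
have been reached. The log and identifiers below are constructed.
"""
from datetime import date

# Constructed rotation log: (date, drive, branch). Four shared drives, eight
# branches, one business week; each drive visits one branch per day.
ROTATION_LOG = [
    (date(2025, 3, 24), "USB-1", "B01"), (date(2025, 3, 24), "USB-2", "B03"),
    (date(2025, 3, 24), "USB-3", "B05"), (date(2025, 3, 24), "USB-4", "B07"),
    (date(2025, 3, 25), "USB-1", "B02"), (date(2025, 3, 25), "USB-2", "B01"),
    (date(2025, 3, 25), "USB-3", "B06"), (date(2025, 3, 25), "USB-4", "B08"),
    (date(2025, 3, 26), "USB-1", "B03"), (date(2025, 3, 26), "USB-2", "B04"),
    (date(2025, 3, 26), "USB-3", "B01"), (date(2025, 3, 26), "USB-4", "B05"),
    (date(2025, 3, 27), "USB-1", "B04"), (date(2025, 3, 27), "USB-2", "B05"),
    (date(2025, 3, 27), "USB-3", "B02"), (date(2025, 3, 27), "USB-4", "B06"),
    (date(2025, 3, 28), "USB-1", "B05"), (date(2025, 3, 28), "USB-2", "B06"),
    (date(2025, 3, 28), "USB-3", "B07"), (date(2025, 3, 28), "USB-4", "B08"),
]
# Index case (assumed): the first drive seen dropping lure files, and when.
INDEX_DRIVE, INDEX_DATE = "USB-1", date(2025, 3, 24)


def trace_exposure(log, index_drive, index_date):
    """Return ({drive: first_exposed_date}, {branch: first_exposed_date}).

    A branch is exposed from the first day an already-exposed drive is inserted
    there; a drive is exposed from the first day it is inserted at an already-
    exposed branch. Same-day contacts count in both directions (conservative),
    which is why the loop runs to a fixed point rather than a single pass.
    """
    drives = {index_drive: index_date}
    branches = {}
    events = sorted(log)
    changed = True
    while changed:
        changed = False
        for day, drive, branch in events:
            if drive in drives and drives[drive] <= day and day < branches.get(branch, date.max):
                branches[branch] = day
                changed = True
            if branch in branches and branches[branch] <= day and day < drives.get(drive, date.max):
                drives[drive] = day
                changed = True
    return drives, branches


def exposure_summary(log, index_drive, index_date):
    """Counts the Tracker can report: exposed vs clean, plus the pull list."""
    drives, branches = trace_exposure(log, index_drive, index_date)
    all_drives = {d for _, d, _ in log}
    all_branches = {b for _, _, b in log}
    return {
        "exposed_drives": sorted(drives),                         # pull these from rotation
        "clean_drives": sorted(all_drives - set(drives)),
        "exposed_branches": sorted(branches),
        "clean_branches": sorted(all_branches - set(branches)),
        "branch_ratio": f"{len(branches)}/{len(all_branches)}",
    }


if __name__ == "__main__":
    drives, branches = trace_exposure(ROTATION_LOG, INDEX_DRIVE, INDEX_DATE)
    for branch, day in sorted(branches.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{day}  {branch} first exposed")
    print(exposure_summary(ROTATION_LOG, INDEX_DRIVE, INDEX_DATE))
```

On the constructed log, one infected drive reaches seven of eight branches and two of the three other drives within the week, while USB-4 and branch B08 are never in contact with an exposed drive or branch on or after their exposure dates, so they need verification rather than rebuild. The output is an upper bound on spread, not proof of infection: it says where to look first and which drives to pull from rotation while the Detective confirms what is actually on them.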
Communicator-focused investigations:
- Branch manager interviews reveal USB audit procedures are federally mandated for banking compliance
- Operations staff report USB drives are shared between branches to reduce costs - “We have 30 USB drives for 45 branches”
- Compliance officer notes USB drives used for audit also transfer customer data for regulatory reporting
- Customer-facing staff unaware of USB malware but concerned about any system disruptions affecting account access
Key NPCs and Interactions:
Janet Foster (Regional Director):
- Responsible for operations across 45 branch locations and 1,200 employees
- Under pressure from bank executives to maintain month-end processing and customer service
- Balancing security response with banking operational requirements and regulatory compliance
- Perspective: “We have federal audit deadlines, month-end reconciliation requirements, and 125,000 customers depending on accurate account information. Tell me how we fix this security problem without disrupting the banking operations those customers rely on.”
Carlos Martinez (IT Security Manager):
- Banking IT background but facing unprecedented multi-branch USB propagation scenario
- Discovering that distributed branch network creates unique containment challenges
- Frustrated by USB dependency in federally mandated audit procedures
- Reality check: “I can implement USB controls at headquarters in a day. But coordinating security changes across 45 branches with different systems, staff, and operational constraints? That’s weeks of work. And this malware is spreading right now.”
Diana Chen (Branch Operations Manager):
- Manages daily operations and audit compliance across branch network
- Caught between IT security requirements and banking operational necessities
- Expert on banking workflows but unfamiliar with cybersecurity incident response
- Conflict point: “You want to disable USB? Our audit procedures are federally mandated - we can’t just stop doing them because of malware. The banking examiners will shut us down for non-compliance before cybersecurity does.”
Robert Kim (Compliance Officer):
- Responsible for federal banking regulatory compliance and customer data protection
- Must assess breach notification requirements under federal banking regulations
- Concerned about reputational damage and customer trust impact
- Pressure point: “If customer account data was accessed by malware, we have 24 hours to notify federal regulators and 30 days to notify affected customers. This triggers a compliance cascade with serious regulatory and reputational consequences.”
Round 1 Pressure Events:
These occur during the 35-40 minute investigation period, building tension:
- 15 minutes in: Branch manager reports customer account discrepancy discovered during reconciliation. USB malware may have corrupted transaction data. “We can’t verify if this is malware impact or normal error until we clean the systems.”
- 25 minutes in: Carlos discovers infected USB drives accessed customer account databases. Robert must assess if personal information (names, addresses, SSNs) or just account numbers were exposed. “This could trigger federal breach notification requirements.”
- 30 minutes in: Federal banking examiner’s routine call: “We’re scheduling our quarterly review next week. We’ll be examining your audit compliance and cybersecurity program. Any incidents we should be aware of?” Decision: disclose now or after remediation?
Round 1 Conclusion:
After investigations, the team should understand they’re facing multi-branch USB worm propagation through essential banking audit workflows, affecting customer account systems across distributed branch network, during critical month-end processing when regulatory compliance is paramount. Janet asks: “Based on what you’ve discovered, what’s your response strategy that protects our customers, maintains banking operations, and satisfies federal regulators?”
Round 2: Response Strategy & Federal Regulatory Pressure (35-40 min)
Situation Development:
The team’s initial response strategy meets the complex reality of distributed banking operations. If they chose USB shutdown, branches cannot complete federally required audits. If they implemented monitoring, worm propagation continues through shared USB drives. If they focused on isolation, customer data exposure expands to additional branches.
More critically, federal regulatory requirements and customer data protection obligations transform technical incident to compliance crisis.
Opening:
External threat intelligence from FS-ISAC: Raspberry Robin infections at financial institutions over the past year have led to follow-on ransomware attacks (LockBit, BianLian targeting banking systems) and data exfiltration for account fraud operations. “USB worm is initial access for sophisticated financial crime. Your customer account data is the ultimate target, and you’re in the threat actors’ pipeline.”
Simultaneously, Robert Kim completes customer data breach assessment: infected USB drives accessed account databases at 35 branches containing personal information (names, addresses, phone numbers, account numbers, transaction histories) for approximately 125,000 customers. “Under federal banking regulations - GLBA, state breach notification laws - we must notify regulators within 24 hours and customers within 30 days if unauthorized access occurred. The clock started when we discovered the compromise.”
Diana reports banking operations pressure: “Month-end reconciliation deadline is tomorrow. Without USB drives for audit data transfers, we’ll fail federal compliance requirements. Banking examiners will impose penalties for non-compliant audit procedures - potentially more severe than cybersecurity issues.”
Federal banking examiner calls: “We received automated alert from your systems about unusual activity. We need incident briefing including customer impact, remediation timeline, and notification procedures. Can you provide that today?”
Team Action: Each player takes 2 actions to develop comprehensive response strategy, considering:
- Customer data protection and breach notification compliance
- Banking operational continuity and federal audit requirements
- Multi-branch security coordination and USB malware containment
- Federal regulatory relationship management and examiner oversight
Response Options and Consequences:
Comprehensive Multi-Branch Remediation:
- Implementation: Complete USB worm removal across all 45 branches with federal forensics support, implement enterprise USB security controls for banking environment, conduct thorough customer data breach assessment with external legal guidance, coordinate federal regulatory notifications and customer breach letters
- Immediate Effects: Extended remediation disrupts banking operations (2-3 weeks), fails month-end audit compliance triggering regulatory penalties, customer breach notification creates account closure risk, federal forensics and legal costs $300K+
- Outcome: Complete USB worm elimination protects customer data long-term, definitive breach determination supports regulatory compliance, demonstrates commitment to banking security, federal examiners note thoroughness despite operational impact
- Learning: Shows comprehensive security prioritization and resulting business/compliance consequences, value of external forensics in financial breach assessment
Customer Protection Prioritized Approach:
- Implementation: Immediate remediation of customer-facing systems and account databases across all branches, establish sanitized USB workflow for critical month-end operations, implement real-time USB monitoring, conduct targeted breach assessment for confirmed customer data exposure
- Immediate Effects: Maintains customer account security and month-end processing capability, reduces operational disruption through prioritization, balances security with banking mission
- Outcome: Customer data systems protected but administrative infrastructure may remain infected risking follow-on attacks, breach assessment may be incomplete requiring extended investigation, demonstrates customer-centric response approach
- Learning: Illustrates banking risk prioritization and tradeoffs between comprehensive security and customer service continuity
FS-ISAC Collaboration & Federal Coordination:
- Implementation: Engage FS-ISAC for Raspberry Robin banking intelligence sharing, coordinate with core banking vendors (Fiserv, Jack Henry) for remediation guidance, maintain transparent communication with federal examiners about incident response and timeline
- Immediate Effects: Leverages financial sector expertise on USB worm banking impacts, vendor collaboration provides industry-specific remediation paths, federal examiner transparency demonstrates mature regulatory relationship
- Outcome: Improved response quality through sector knowledge sharing, potential examiner accommodation based on proactive communication, demonstrates financial industry cybersecurity collaboration
- Learning: Shows value of FS-ISAC and banking sector partnerships, importance of federal regulatory relationship management during incidents
Phased Branch Recovery with Customer Communication:
- Implementation: Phase response by branch criticality and infection status, start with highest customer volume branches, roll out USB security controls progressively, conduct staged customer breach assessment as branches are cleaned, coordinate customer communication strategy with marketing and legal
- Immediate Effects: Minimizes overall banking disruption through staged approach, allows continued operations at clean branches, demonstrates thoughtful customer impact management
- Outcome: Extended remediation timeline (4 weeks) keeps some branches vulnerable to follow-on attacks longer, progressive breach assessment complicates federal notification, shows sophisticated multi-branch incident response
- Learning: Demonstrates phased incident response in distributed banking environment, customer communication challenges in partial breach scenarios
Emergency Federal Notification with Minimal Details:
- Implementation: Immediately notify federal regulators of potential customer data compromise with preliminary assessment, request extended investigation timeline, implement maximum-effort USB remediation while forensic investigation continues, delay customer notification until definitive breach determination
- Immediate Effects: Satisfies 24-hour federal notification requirement with limited information, buys time for thorough investigation, maintains regulatory compliance under uncertainty
- Outcome: Federal examiners may scrutinize preliminary notification quality, extended customer notification timeline creates uncertainty, demonstrates prioritization of regulatory compliance over operational concerns
- Learning: Shows federal regulatory notification strategies under incomplete information, challenges of breach determination with sophisticated malware
Round 2 Pressure Events:
Building tension during response implementation:
- 15 minutes in: Core banking system vendor reports USB remediation on transaction processing systems requires coordination with their technical support - 48-hour minimum timeline per branch for vendor-assisted clean-up. “We need to ensure customer data integrity after malware removal.”
- 25 minutes in: FS-ISAC shares intelligence: Bank in neighboring state experienced LockBit ransomware 5 weeks after Raspberry Robin infection. Customer account backup systems were primary target. “Your backup infrastructure is likely being probed right now.”
- 30 minutes in: Customer data forensics preliminary finding: Evidence suggests customer information was accessed but no definitive proof of exfiltration yet. “We need 7-10 days for complete analysis to determine if data left your network.” Federal notification timeline is 24 hours with incomplete information.
- 35 minutes in: Local media reports: “Sources indicate Community First Bank experiencing cybersecurity incident affecting customer accounts.” Customers calling branches demanding information. Marketing/PR crisis developing alongside technical incident.
Round 2 Conclusion:
Regardless of chosen approach, the team is managing intersecting banking challenges: customer data protection (federal regulatory requirement), operational continuity (month-end processing and audit compliance), multi-branch coordination (45 distributed locations), regulatory oversight (federal examiner involvement), and reputation management (customer trust and media attention). The incident has evolved from USB malware to comprehensive banking crisis requiring integration of security, compliance, operations, customer service, and regulatory relationship management. Janet states: “We need your recommendations. 125,000 customers, 1,200 employees, and federal banking regulators are all depending on us to make the right call.”
Round 3: Resolution & Financial Sector Security Lessons (35-40 min)
Final Situation:
Two weeks after initial discovery, the USB worm response is reaching conclusion. Depending on the team’s Round 2 response strategy:
If comprehensive remediation: All 45 branches cleaned of Raspberry Robin infection. Federal forensics determined customer data was accessed but no evidence of exfiltration. Breach notification sent to 125,000 customers and federal regulators. USB security controls implemented across banking network. No follow-on attacks occurred.
However, month-end audit compliance was failed, resulting in $150K regulatory penalties. Customer breach notification resulted in 3% account closure rate (3,750 customers, $45M deposits). Federal forensics and incident response costs totaled $350K. Some branches operated with reduced capabilities for 2 weeks. Federal examiners increased oversight intensity for next 12 months.
If customer protection prioritized: Customer-facing systems successfully protected throughout incident. Month-end processing completed maintaining audit compliance. However, administrative systems experienced follow-on attack 4 weeks later - attempted LockBit ransomware deployment (contained but required additional response). Customer breach assessment extended to 6 weeks creating notification timeline concerns with regulators.
The prioritization saved customer relationships and maintained banking operations but left security gaps risking additional incidents. Federal examiners questioned incomplete remediation approach.
If FS-ISAC collaboration: Financial sector intelligence sharing yielded valuable Raspberry Robin banking-specific remediation guidance. Core banking vendor support accelerated response by 40%. Federal examiner transparency resulted in accommodation for extended investigation before customer notification. Collaborative approach improved response quality.
External coordination costs $200K but preserved customer trust through managed communication. FS-ISAC participation strengthened industry reputation. Federal examiner relationship enhanced through proactive transparency.
If phased recovery: Staged remediation successfully balanced customer service with security restoration across 45 branches. High-volume branches remediated first minimizing customer impact. Month-end processing maintained through phased approach. Customer breach notification based on progressive assessment communicated confidence in thorough investigation.
Extended 4-week timeline kept some branches vulnerable but enabled continued banking operations. Federal examiners appreciated methodical approach but questioned vulnerability window. Demonstrated sophisticated multi-branch incident response.
If emergency federal notification: Preliminary notification satisfied 24-hour regulatory requirement. Extended investigation timeline revealed partial customer data exposure requiring notification to 85,000 customers (vs initial 125,000 estimate). Federal examiners accepted investigation rationale but scrutinized preliminary notification accuracy.
Customer notification delay created PR challenges when local media reported incident before official bank communication. Marketing/customer service challenges required significant damage control efforts.
Team Action - Part 1: Incident Closure (15-20 min):
Each player takes 1-2 actions to:
- Complete any remaining technical remediation or validation
- Finalize customer breach notification and federal regulatory reporting
- Document lessons learned for banking security improvement
- Present recommendations to bank executive leadership for USB security architecture
Team Action - Part 2: Financial Sector Security Learning (15-20 min):
The IM facilitates group discussion on banking cybersecurity lessons:
Facilitation Questions:
- “What makes financial sector cybersecurity different from other industries?”
- Guide toward: Customer data protection primacy, federal regulatory compliance, operational continuity requirements, distributed branch networks, reputation/trust sensitivity
- “How do USB-based threats challenge distributed banking networks?”
- Guide toward: Multi-branch propagation through shared devices, audit compliance creating USB dependency, branch coordination complexity, physical media bypassing network security
- “What role does federal regulatory compliance play in banking cybersecurity?”
- Guide toward: Strict notification timelines (24 hours to regulators, 30 days to customers), examiner oversight, audit requirements, GLBA and state breach laws, regulatory relationship management
- “How should banks balance security and operational continuity?”
- Guide toward: Customer service priorities, month-end processing requirements, audit compliance obligations, risk-based prioritization, branch coordination
- “What partnerships and resources are valuable for financial cybersecurity?”
- Guide toward: FS-ISAC threat intelligence, core banking vendors, federal banking agencies (FDIC, OCC, Federal Reserve), legal counsel, forensics firms
- “How have USB threats evolved in financial services, and what does the future look like?”
- Guide toward: USB as initial access for financial fraud and ransomware, supply chain USB compromise, BadUSB and firmware attacks, zero-trust approaches to removable media in banking
Victory Conditions Assessment:
Technical Success:
Business Success:
Learning Success:
Final Debrief Topics:
Financial Sector Security Challenges:
- Customer data protection is paramount in banking cybersecurity decisions
- Federal regulatory compliance creates strict timelines and oversight requirements
- Distributed branch networks create unique coordination and containment challenges
- Banking operational continuity (month-end processing, audit compliance) constrains security response
USB Threat Landscape in Banking:
- Raspberry Robin demonstrates USB worm evolution to initial access for financial crime
- Multi-branch networks enable rapid USB propagation through shared devices and workflows
- Audit compliance creates USB dependency that’s difficult to restrict
- Supply chain and vendor USB introduces risks beyond organizational control
Banking Incident Response:
- Requires integration of security, compliance, operations, customer service, and regulatory relationship management
- Federal regulatory notification obligations must be balanced with investigation thoroughness
- Customer communication and trust management critical during breach scenarios
- External support (FS-ISAC, vendors, forensics, legal) provides specialized financial sector capabilities
Regulatory and Compliance:
- 24-hour federal notification requirement forces decisions with incomplete information
- 30-day customer notification timeline requires rapid breach determination
- Federal examiner relationships built through transparency and proactive communication
- Audit compliance failures can result in regulatory penalties alongside cybersecurity consequences
Future Considerations:
- Zero-trust approaches to removable media in banking environments
- Multi-branch security architecture with centralized visibility and distributed implementation
- FS-ISAC participation and financial sector threat intelligence sharing
- Customer communication strategies for cyber incidents balancing transparency and trust
Round 3 Conclusion:
Janet addresses the team: “You’ve navigated the unique challenge of banking cybersecurity - protecting 125,000 customers’ financial data while maintaining the operations they depend on, satisfying federal regulators with strict timelines, and coordinating security across 45 distributed branches. Banking isn’t like other industries - customer trust is our most valuable asset, and cybersecurity incidents directly threaten that trust. You’ve demonstrated the thoughtful, customer-centered, compliance-aware approach we need. Our customers and our regulators deserve nothing less.”
Advanced Challenge Materials (150-170 min, 3 rounds)
Additional Complexity Layers
For experienced teams seeking maximum challenge, add these complexity elements:
1. Federal Banking Regulatory Complexity
Multi-Agency Oversight:
- Different regulators for different bank operations: FDIC (deposits), OCC (national banks), State banking authorities, CFPB (consumer protection)
- Each agency has different notification requirements, timelines, and enforcement priorities
- Compliance with GLBA (Gramm-Leach-Bliley Act), state breach notification laws, and banking-specific cybersecurity guidance
- Federal examiners can impose enforcement actions, fines, or increased oversight based on incident response
Implementation: Introduce realistic banking regulatory complexity where different agencies have competing requirements. Make players navigate FDIC, OCC, and state agency notifications with varying timelines. Create tension between regulatory compliance speed and investigation thoroughness.
2. Customer Trust and Account Closure Crisis
Customer Impact:
- During Round 1: Major customer (small business with $2M in accounts) threatens to move banking relationship due to security concerns
- During Round 2: Customer breach notification results in 5% immediate account closure rate in first 48 hours
- During Round 3: Local media investigation creates public relations crisis affecting new account acquisition
Business Consequences:
- Account closures reduce deposit base affecting bank’s lending capacity and profitability
- Lost customer relationships represent 10+ year lifetime value ($500-1,000 per customer)
- Reputational damage in local market where Community First Bank is established institution
- Competitor banks targeting Community First customers with “security-focused” marketing
Implementation: Introduce actual customer account closures and business relationship losses during scenario. Make players balance security thoroughness with customer communication and trust management. Create financial consequences beyond immediate incident response costs.
3. Multi-Branch Coordination Operational Complexity
Distributed Challenges:
- 45 branches have different IT systems, network configurations, and security baselines
- Branch managers have semi-autonomous decision-making authority and may resist central security mandates
- Some branches located in rural areas with limited IT support requiring on-site visits
- Branch employee security awareness varies significantly - some understand cybersecurity, many do not
Workflow Dependencies:
- USB audit drive rotation schedule is complex: drives visit specific branch sequences based on geographic routing
- Some branches share resources (staff, equipment) creating cross-contamination vectors beyond USB
- Month-end processing requires coordinated timing across all branches - delays at one location affect entire network
- Banking software updates and patches must be scheduled to avoid customer service disruptions
Implementation: Expand scenario to emphasize 45-branch distributed network complexity. Introduce branch manager resistance to security changes, geographic distance creating response delays, and workflow dependencies requiring careful coordination. Make players manage enterprise banking incident response with varying local conditions.
4. Core Banking System Vendor Dependencies
Vendor Constraints:
- Core banking system (Fiserv, Jack Henry, or similar) controls critical customer account infrastructure
- Vendor technical support required for any system-level changes or malware remediation
- Vendor response times vary: emergency support 4-hour minimum, standard support 48 hours
- Vendor contracts limit the bank's ability to have third-party (non-vendor) technicians access core systems
Vendor Communications:
- Vendor security team must approve all remediation approaches to maintain system warranty and support
- Vendor may require customer data breach notification to other financial institutions using same platform
- Vendor technical support costs $300/hour for emergency incident response
- Vendor may be managing similar incidents at other banks creating resource competition
Implementation: Make core banking vendor a critical stakeholder with significant control over remediation approaches. Introduce vendor approval requirements, response delays, and cost considerations. Create tension between bank’s desire for rapid response and vendor’s methodical approach.
5. Federal Banking Examiner Involvement
Examiner Oversight:
- The federal banking examiner's scheduled quarterly review happens to coincide with the incident (unfortunate timing)
- Examiner requests detailed incident briefing, remediation timeline, and cybersecurity program documentation
- Examiner has authority to impose enforcement actions, fines, or increased oversight based on findings
- Examiner evaluates incident response as part of overall bank safety and soundness assessment
Regulatory Scrutiny:
- Examiner questions whether bank had adequate cybersecurity controls before incident
- Examiner reviews historical audit findings to determine if previous security recommendations were ignored
- Examiner coordinates with other agencies (FDIC, state regulators) creating multi-agency investigation
- Examiner may require independent third-party assessment of security program post-incident
Implementation: Add federal banking examiner as active stakeholder during incident response. Introduce examiner requests that consume management time, examiner questions about historical security practices, and potential enforcement action concerns. Make players balance incident remediation with examiner relationship management.
6. Customer Data Forensics Complexity
Breach Determination Challenges:
- Forensic analysis cannot definitively determine if customer data was exfiltrated or just accessed
- USB drives used by multiple employees across branches - attribution of specific data exposure unclear
- Raspberry Robin command-and-control traffic observed but encrypted - contents unknown
- External forensics firm provides range estimate: “Between 85,000 and 125,000 customer records potentially compromised”
Notification Dilemma:
- Notify 85,000 customers (minimum estimate) risking under-notification if forensics later show 125,000?
- Notify 125,000 customers (maximum estimate) creating unnecessary alarm for 40,000 who weren’t affected?
- Federal regulations require “reasonable determination” of affected individuals - what’s reasonable with ambiguous forensics?
- Over-notification costs $5/customer (letters, call center) = $625,000 for maximum estimate
Implementation: Make customer breach determination genuinely ambiguous requiring difficult judgment calls with incomplete forensic evidence. Introduce notification strategy decisions with financial and regulatory consequences. Create pressure to notify quickly (federal 30-day timeline) versus investigating thoroughly (6-8 weeks for definitive forensics).
7. Local Media and Public Relations Crisis
Media Attention:
- Local news investigates “cybersecurity incident at Community First Bank affecting customer accounts”
- Competitors leak information to media to damage Community First’s reputation
- Consumer advocacy groups demand transparency about customer data protection
- Social media amplifies customer concerns creating viral negative publicity
PR Challenges:
- Customer service representatives lack information to answer customer calls during investigation
- Marketing team wants to issue public statement but legal counsel recommends saying nothing until breach determination
- Customers posting negative reviews online affecting new account acquisition
- Media requesting interviews with bank executives during active incident response
Implementation: Add media and public relations complexity alongside technical incident response. Introduce customer service pressure, legal/marketing conflicts, social media reputation damage, and executive communication demands. Make players balance transparent customer communication with legal/regulatory caution.
Advanced Challenge Round Structure
Round 1: Discovery Under Banking Constraints (45-50 min)
Players must investigate Raspberry Robin with:
- Multi-agency federal regulatory requirements constraining disclosure and investigation approaches
- Customer trust crisis with major account holder threatening to leave
- 45-branch distributed network coordination challenges
- Core banking vendor dependencies limiting investigation access and methods
Success requires: Balancing technical investigation with customer relationship preservation, navigating multi-agency regulatory landscape, coordinating across distributed branch network, working within core banking system vendor constraints.
Round 2: Response Under Financial Sector Complexity (45-50 min)
Players must develop response strategy while managing:
- Federal banking examiner involvement and oversight during active incident
- Customer data breach determination with forensic uncertainty
- Multi-branch operational continuity during month-end processing
- Vendor approval requirements and response timeline dependencies
- Customer account closures and business relationship losses
Success requires: Financial sector-appropriate response balancing customer data protection, regulatory compliance, operational continuity, and business preservation. Multi-stakeholder management across customers, regulators, vendors, branches, and media. Creative problem-solving within banking regulatory and operational constraints.
Round 3: Resolution Under Banking Scrutiny (45-50 min)
Players must complete incident response while handling:
- Customer breach notification strategy with forensic ambiguity
- Federal examiner assessment and potential enforcement actions
- Media relations and public reputation management
- Long-term banking cybersecurity program development within vendor and regulatory constraints
- Customer trust rebuilding and account retention initiatives
Success requires: Closure of complex banking incident addressing security, compliance, customer service, regulatory, reputational, and business dimensions. Strategic thinking about financial sector cybersecurity program evolution. Learning extraction about banking-specific security challenges and multi-stakeholder coordination.
Advanced Challenge Debriefing
Focus Areas:
1. Federal Regulatory Compliance Under Uncertainty:
- How did the team navigate multi-agency banking regulatory requirements with incomplete information?
- What decision frameworks balanced federal notification timelines with investigation thoroughness?
- Were they able to maintain productive examiner relationships while managing the incident?
- How did they communicate incident details to regulators while investigation was ongoing?
2. Customer Trust and Reputation Management:
- How effectively did the team balance customer communication transparency with legal/regulatory caution?
- What strategies worked for customer retention during and after breach notification?
- Were they able to manage media relations while conducting incident response?
- How did they address customer service representative information needs during uncertainty?
3. Multi-Branch Distributed Network Response:
- How well did the team coordinate security response across 45 distributed branch locations?
- What approaches worked for branch manager stakeholder management and change adoption?
- Were they able to maintain banking operational continuity across the distributed network during remediation?
- How did they address varying branch security baselines and IT capabilities?
4. Core Banking Vendor Partnership:
- How effectively did the team navigate vendor approval requirements and support dependencies?
- What communication strategies built productive vendor relationships during crisis?
- Were they able to balance the vendor's methodical approach with incident urgency?
- How did they manage vendor costs and contract constraints during emergency response?
5. Banking Cybersecurity Program Maturity:
- What specific capabilities or approaches are unique to financial sector cybersecurity?
- How should banks structure security programs given customer trust primacy and regulatory oversight?
- What role should branch employees play in banking cybersecurity awareness and incident response?
- How can banks build security resilience within vendor dependencies and regulatory compliance frameworks?
Victory Conditions (Advanced Challenge):